← Back to Home

Privacy Policy

Last Updated: April 2026 | Version 1.0

1. Data Controller

GatiFlow ("we", "us") acts as data controller for Account Data (information about our customers) and as an independent controller for Source Data (public information used to generate intelligence reports).

Contact: privacy@gatiflow.io

2. Data We Collect

2.1 Account Data (about you, our customer)

• Email address, organization name, full name (optional) — provided at registration

• Password — stored exclusively as bcrypt hash, never in plaintext

• Billing information — processed by Stripe Inc.; we receive only customer and subscription identifiers

• API usage events — endpoint, HTTP status, timestamp — retained for 90 days

• Consent records — timestamp and policy version accepted

• Topics of interest — configured by you for personalized reports

2.2 Source Data (about individuals appearing in reports)

We collect publicly available information from: GitHub (public profiles, repositories, contribution graphs), StackOverflow (public questions and tags), HackerNews (public posts and comments), Dev.to (public articles), arXiv (public research papers), OpenReview (public peer-review records), npm (public package metadata and download statistics), PyPI (public package metadata and download statistics), Adzuna (public job listings), Remotive (public job listings), HuggingFace (public model and dataset metadata), and SEC EDGAR (public regulatory filings of legal entities, used solely for entity-level signals — no natural-person data is extracted from this source).

Fields collected may include: public username, display name, public bio excerpt, company affiliation (if publicly listed), public repository metadata, follower/contribution counts.

We do NOT collect: email addresses, private messages, paywalled content, private repositories, authentication-gated data, or any data marked as restricted by robots.txt.

2.3 Technical Data

• IP address — used for rate limiting and security; not stored long-term

• Request metadata — method, path, latency — for operational monitoring

3. Legal Basis for Processing

GDPR (EU) — Article 6

Account Data: Contract performance (Art. 6(1)(b)) — necessary to provide the Service

Billing Data: Legal obligation (Art. 6(1)(c)) — tax and financial record-keeping

Source Data: Legitimate interest (Art. 6(1)(f)) — aggregating publicly available information for market intelligence. We have conducted a Legitimate Interest Assessment (LIA) balancing our business interest against the rights and expectations of data subjects. The LIA is available upon request at privacy@gatiflow.io.

LGPD (Brazil) — Article 7

• Account Data: Contract execution (Art. 7, V)

• Source Data: Legitimate interest for publicly available data (Art. 7, IX)

CCPA (California)

• Source Data qualifies as publicly available information under Cal. Civ. Code § 1798.140(v)(2). We do not sell personal information.

4. Your Rights

4.1 Customer Rights (Account Data)

Access: Export all your data via Settings → Data & Privacy → Export (GDPR Art. 15, LGPD Art. 18)

Rectification: Update your profile via Settings (GDPR Art. 16)

Erasure: Delete your organization via Settings → Delete Account — irreversible (GDPR Art. 17, LGPD Art. 18)

Portability: Export returns machine-readable JSON (GDPR Art. 20)

Restriction/Objection: Contact privacy@gatiflow.io (GDPR Arts. 18, 21)

4.2 Data Subject Rights (Source Data — individuals in reports)

Opt-out: Any individual whose public data appears in GatiFlow reports may request removal at /opt-out or by emailing privacy@gatiflow.io with your platform username

Processing is limited to: publicly available data only, aggregated into market-level intelligence, with no profiling for automated individual decisions

• Opt-out requests are processed within 15 business days (LGPD Art. 19) — well within GDPR Art. 12 (one month)

5. Data Retention

• Account Data: retained while account is active + 90 days after deletion for legal compliance

• Usage Events: 90 days (configurable via USAGE_RETENTION_DAYS)

• Audit Logs: 1 year

• Source Data cache: 7 hours (Redis TTL, auto-expires)

• Signal snapshots: 60 days

• Deep Dive articles: permanent (published content)

6. Data Sharing & Processors

We do not sell personal data. We share data with the following processors strictly for service delivery:

Stripe Inc. (billing) — USA, SCCs in place

Railway Corp. (hosting, PostgreSQL, Redis) — USA, SCCs

Vercel Inc. (frontend hosting) — USA, SCCs

Brevo (Sendinblue) (transactional email) — EU

Sentry (Functional Software) (error monitoring) — USA, SCCs — send_default_pii disabled

Anthropic PBC (AI narrative generation) — USA, SCCs — no PII sent to model

7. International Transfers

Data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) and processor-specific safeguards for EU-US and BR-US transfers.

8. Security Measures

• Passwords: bcrypt hashing (72-byte input limit)

• Authentication: RS256 JWT (asymmetric) or HS256 with 256-bit key

• Transport: HTTPS-only with HSTS preload

• Cookies: HttpOnly, Secure, SameSite=Lax

• API keys: SHA-256 hashed, never stored in plaintext

• Rate limiting: per-IP and per-org with account lockout

• SSRF protection: DNS resolution validation on webhook URLs

• Audit logging: all admin actions logged with actor, timestamp, IP

No system is 100% secure. We recommend using a unique, strong password.

9. Cookies

We use only essential cookies for authentication: access_token and refresh_token (HttpOnly, Secure). No analytics, advertising, or tracking cookies are used. No cookie consent banner is required as these are strictly necessary cookies under ePrivacy Directive Art. 5(3).

10. AI-Generated Content

Executive narratives and Deep Dive articles are generated using Anthropic Claude. All AI-generated content is post-processed by a fact-checking pipeline that verifies numbers against actual collector data. Unverifiable statistics are replaced with qualitative language. AI-generated content is clearly labeled in reports.

11. Children

The Service is not directed to individuals under 16. We do not knowingly collect data from minors. If you believe we have inadvertently collected data from a minor, contact privacy@gatiflow.io.

12. Changes to This Policy

Material changes will be emailed to active account holders at least 30 days before taking effect and will require re-acceptance via Settings. The consent version is tracked in our database per GDPR Art. 7.

13. Data Protection Officer (DPO / Encarregado)

Per LGPD Art. 41 and GDPR Art. 37, our designated Data Protection Officer is the founder and CTO of GatiFlow. For privacy matters, requests under LGPD Art. 18 / GDPR Arts. 15-22, or any concern about how your personal data is processed, contact privacy@gatiflow.io. The DPO is the same individual responsible for the operations of the platform, ensuring direct accountability under the principle of the controller (LGPD Art. 5°, VI).

14. Complaints

If you are not satisfied with our response, you may lodge a complaint with your local data protection authority (e.g., ANPD in Brazil, CNIL in France, ICO in the UK).

15. Contact

Privacy inquiries: privacy@gatiflow.io